One to watch?

May 1st, 2007 by sjan

Sun is proposing an alternative to AJAX, called Project Flair, which is set for early release later this year. In an InfoWorld article, Sun engineer and principal investigator Dan Ingalls describes it as being more like the old style of desktop application programming (using a JavaScript programming kernel) that adds collaboration and web access.

How this actually ends up performing is anyone’s guess, but I’ll be keeping an eye out for it.


Web 2.0 Attack – AJAX Vulnerable to JavaScript Hijacking

April 2nd, 2007 by sjan

A white paper from Fortify Software outlines a major Web 2.0 vulnerability. According to the white paper, all current frameworks that use JSON for data communications are vulnerable. They have released the information to all the major framework developers so that this can be addressed within the AJAX frameworks. They noted, however, that one quarter of the participants in an AJAX survey hosted by Fortify did not use any framework at all. Fortify recommends a two-pronged mitigation approach:

  • Include a hard-to-guess identifier, such as the session identifier, as part of each request that will return JavaScript. This defeats cross-site request forgery attacks by allowing the server to validate the origin of the request.
  • Include characters in the response that prevent it from being successfully handed off to a JavaScript interpreter without modification. This prevents an attacker from using a <script> tag to witness the execution of the JavaScript.

Computer Business Review has a more extensive write-up available.
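Both mitigations applied to a JSON endpoint, as an added example that is not code from the Fortify paper or from this blog. The prefix string, the token value and the function names are my own choices; `req` is a plain object standing in for the HTTP request.

```javascript
// Mitigation 2: a prefix that is a JavaScript syntax error, so a cross-site
// <script src="..."> include aborts before the data is evaluated.
const HIJACK_PREFIX = ")]}',\n";

// Mitigation 1: the per-session secret every data request must echo back.
// Constructed sample value; a real server reads it from the session store.
const SESSION_TOKEN = "c0nstructed-session-token";

// Server side: validate the token, then wrap the JSON so it cannot be run
// as a script. `req` is a plain object standing in for the HTTP request.
function serveJson(req, data) {
  if (req.token !== SESSION_TOKEN) {
    return { status: 403, body: "" }; // not sent by a page holding our session
  }
  return { status: 200, body: HIJACK_PREFIX + JSON.stringify(data) };
}

// Client side: the legitimate page fetched the body with XMLHttpRequest,
// so it can strip the prefix and parse the remainder as JSON.
function parseJsonResponse(body) {
  if (!body.startsWith(HIJACK_PREFIX)) {
    throw new Error("response lacks hijack-protection prefix");
  }
  return JSON.parse(body.slice(HIJACK_PREFIX.length));
}

// Demonstration helper: would this body compile as a JavaScript program?
// A bare JSON array does (it is an expression statement); the prefixed body
// does not. new Function only compiles the text, it never runs it.
function isValidScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Usage with constructed data.
const records = [{ user: "alice", email: "alice@example.test" }];
const ok = serveJson({ token: SESSION_TOKEN }, records);
const forged = serveJson({}, records);
console.log(ok.status, forged.status);               // 200 403
console.log(isValidScript(JSON.stringify(records))); // true: raw array is a script
console.log(isValidScript(ok.body));                 // false: prefixed body is not
console.log(parseJsonResponse(ok.body)[0].user);     // alice
```

The compile check only shows the syntax difference; the token check is what stops a page on another origin from obtaining the body in the first place.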


Bookmarklet and Google Gadget for

December 19th, 2006 by sjan

I ran across the Online Etymology Dictionary the other day and was blown away by the well-designed and incredibly useful service they offer. Of course, it’s much nicer to have access to that functionality at a click, so of course I created a Firefox/Mozilla bookmarklet. But I wanted to have the same thing available on my Google homepage, right next to the Dictionary search box and the Wikipedia search box, so I created a “Google Gadget” for it as well.

To use the bookmarklet, drag the link below into your Firefox/Mozilla bookmarks bar.

Find Etymology

To use the “Google Gadget” go to your Google homepage, click on the “Add Stuff” link, click on “Add by URL” and enter


Peter Nederlof’s whatever:hover to the rescue!

April 16th, 2006 by sjan

Well, I found a way to do CSS2 drop-down menus and force IE to accept them. It takes a little bit of JavaScript madness created by Peter Nederlof called which forces IE to accept the :hover pseudo-class for any element (as is the spec for CSS2).

While it uses IE specific tricks to make it work, it can be done in such a way as to not break in other browsers. (In other words, the changes are only applied if the browser is IE.)

There is a handy tutorial at SEOConsultants that was incredibly helpful.

bookmarklet version 2

March 14th, 2006 by sjan

Nothing all that exciting, just made a version of the bookmarklet that opens the result in a new window.

Here they both are:
Search in a new window

Mozilla / Firefox bookmarklet for

March 8th, 2006 by sjan

If you haven’t yet heard, there is a nifty new site, , that helps you find sites similar to what you are currently looking at. As the site author puts it:

This is a mashup of and It’s an experiment on my part to see whether I can quickly find relevant web sites based on people’s tags/bookmarks on, using the engine from It answers the question “people who tagged this site also tagged what other sites”. I am using it mostly to find blogs that are similar to the ones I read, and to find new popular web sites that are in my area.

To make things easier I have created a Mozilla / Firefox bookmarklet. To add this just click and drag the link below to your bookmark bar.


Web-based editing with TinyMCE

January 23rd, 2006 by sjan

While it’s not specific to PHP, I have found what is perhaps the best web-based WYSIWYG editor going: TinyMCE. The only reason I am mentioning it here is because of the framework I built behind it.

The goal was to build an admin page for “blosxom-ish” blogs (like Blosxom, pyBlosxom, phpBlosxom, etc) that use text files for entries. The initial idea was to do it in Python/PSP using mod_python. I quickly abandoned this for the following reasons:

  1. No matter what I tried, I could not get the PSP include directive to work.
  2. The mod_python PSP documentation is sparse and generally not helpful.
  3. I wanted to bang it out and get it done, and I am already familiar with PHP enough to be comfortable with it.

I do have plans to re-implement in a Python cgi-style format, and will offer it to the community at large at that time, but until then this version seems to be working ok for me (at least at the moment).

If you would like a copy of the source for this (WARNING! It is not commented and seriously shows the signs of being hacked out in one evening!) drop me a line and let me know.

By the way: I almost forgot the important part. What is it that makes me think TinyMCE is the best web-based WYSIWYG editor? The fact that it generates <p> tags for paragraphs (rather than stuffing in a couple <br>s), uses <strong> and <em> rather than <b> and <i>, has a working link and image insertion tool, a preview button, and it applies itself to all the textareas in a form page without jumping through a bunch of hoops with id and style attributes. Generally it produces valid HTML 4.0 Transitional. (I think it could be tweaked to produce valid XHTML 1.x Strict, though.)

So what could be tweaked?

  • The “tidy” tool doesn’t strip out the M$ Word class=”MsoNormal” attributes when pasting from Word.
    • Possible fix for now: strip those out in the back-end processing
    • Long-term fix: Find the javascript code that does the tidying and add the logic to delete the Mso* attributes.
  • It uses <font> tags rather than <style> tags to apply color and font-face changes.
    • Possible fix for now: replace the <font color=”#??????”> tags with <span style=”color:#??????;”> in the backend.
    • Avoid using font face changes and allow the css of the site that is going to be displaying the page handle it.
    • Long-term fix: Find the javascript code that produces the font tags and replace it with span.
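The two interim back-end fixes listed above, as an added example that is neither the author’s PHP framework nor TinyMCE’s own code: it drops the Mso* classes Word leaves behind and rewrites <font> color/face attributes as a <span style="..."> instead. Function names are mine and the sample input is constructed.

```javascript
// Remove class attributes whose classes all start with "Mso"; keep the rest.
function stripMsoClasses(html) {
  return html.replace(/\sclass=(["'])([^"']*)\1/gi, (m, q, classes) => {
    const kept = classes.split(/\s+/).filter(c => c && !/^Mso/.test(c));
    return kept.length ? ` class=${q}${kept.join(" ")}${q}` : "";
  });
}

// Turn <font color="#rrggbb" face="Name"> into <span style="...">. Only hex
// colours and plain font names are copied into the style attribute; any other
// value is dropped rather than passed through into the stored HTML.
function fontToSpan(html) {
  const opened = html.replace(/<font\b([^>]*)>/gi, (m, attrs) => {
    const color = /\bcolor=(["']?)(#[0-9a-f]{3,6})\1/i.exec(attrs);
    const face = /\bface=(["'])([a-z0-9 ,\-]+)\1/i.exec(attrs);
    const style = [];
    if (color) style.push(`color:${color[2]};`);
    if (face) style.push(`font-family:${face[2].trim()};`);
    return style.length ? `<span style="${style.join("")}">` : "<span>";
  });
  return opened.replace(/<\/font>/gi, "</span>");
}

// The back-end step: run both fixes over the HTML posted from the editor.
function cleanTinyMceHtml(html) {
  return fontToSpan(stripMsoClasses(html));
}

// Constructed sample: a Word paste followed by a colour/font change.
const sample =
  '<p class="MsoNormal">Hello <font color="#ff0000" face="Arial">world</font></p>';
console.log(cleanTinyMceHtml(sample));
// <p>Hello <span style="color:#ff0000;font-family:Arial;">world</span></p>
```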

Overall, it does what it says, and that makes it another of those things that I like: stuff that works!